2.9.3.3 Security considerations with password authentication

The passwords are stored on the client side in a
trivial encoding of the cleartext, and transmitted in
the same encoding. The encoding is done only to
prevent inadvertent password compromises (i.e., a
system administrator accidentally looking at the file),
and will not prevent even a naive attacker from gaining
the password.

The separate CVS password file (see section 2.9.3.1 Setting up the server for password authentication) allows people
to use a different password for repository access than
for login access. On the other hand, once a user has
non-read-only
access to the repository, she can execute programs on
the server system through a variety of means. Thus, repository
access implies fairly broad system access as well. It
might be possible to modify CVS to prevent that,
but no one has done so as of this writing.

Note that because the `$CVSROOT/CVSROOT' directory
contains `passwd' and other files which are used
to check security, you must control the permissions on
this directory as tightly as the permissions on
`/etc'. The same applies to the `$CVSROOT'
directory itself and any directory
above it in the tree. Anyone who has write access to
such a directory will have the ability to become any
user on the system. Note that these permissions are
typically tighter than you would use if you are not
using pserver.

In summary, anyone who gets the password gets
repository access (which may imply some measure of general system
access as well). The password is available to anyone
who can sniff network packets or read a protected
(i.e., user read-only) file. If you want real
security, get Kerberos.